{"result": {"debian": [{"published": "2008-01-06T00:00:00", "type": "debian", "cvss": {"vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 7.1}, "description": "Several local/remote vulnerabilities have been discovered in the MySQL database server. The Common Vulnerabilities and Exposures project identifies the following problems: \n\n * [CVE-2007-3781](<https://security-tracker.debian.org/tracker/CVE-2007-3781>)\n\nIt was discovered that the privilege validation for the source table of CREATE TABLE LIKE statements was insufficiently enforced, which might lead to information disclosure. This is only exploitable by authenticated users. \n\n * [CVE-2007-5969](<https://security-tracker.debian.org/tracker/CVE-2007-5969>)\n\nIt was discovered that symbolic links were handled insecurely during the creation of tables with DATA DIRECTORY or INDEX DIRECTORY statements, which might lead to denial of service by overwriting data. This is only exploitable by authenticated users. \n\n * [CVE-2007-6304](<https://security-tracker.debian.org/tracker/CVE-2007-6304>)\n\nIt was discovered that queries to data in a FEDERATED table can lead to a crash of the local database server, if the remote server returns information with less columns than expected, resulting in denial of service. \n\nThe old stable distribution (sarge) doesn't contain mysql-dfsg-5.0. \n\nFor the stable distribution (etch), these problems have been fixed in version 5.0.32-7etch4. \n\nFor the unstable distribution (sid), these problems have been fixed in version 5.0.51-1. 
\n\nWe recommend that you upgrade your mysql-dfsg-5.0 packages.", "title": "mysql-dfsg-5.0 -- several vulnerabilities", "lastseen": "2016-09-02T18:29:17", "cvelist": ["CVE-2007-3781", "CVE-2007-5969", "CVE-2007-6304"], "href": "http://www.debian.org/security/dsa-1451", "id": "DSA-1451"}], "oraclelinux": [{"published": "2008-05-30T00:00:00", "type": "oraclelinux", "cvss": {"vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 7.1}, "description": "[5.0.45-7]\n- Adjust thread stack requests to allow for platform-specific guard page size;\n necessary to prevent stack overrun on PPC with RHEL5's 64K page size.\nResolves: #435391\n- Remove calendar-dependent queries from 'view' test; necessary to get\n regression tests to pass after 2007.\n[5.0.45-6]\n- Back-port upstream fixes for CVE-2007-5925, CVE-2007-5969, CVE-2007-6303.\nResolves: #422211\n[5.0.45-1]\n- Update to MySQL 5.0.45\nResolves: #256501, #240813, #246309, #254012\nResolves: #280811, #316451, #349121, #367131\n- Synchronize with current Fedora package, which is pretty well tested by now;\n see past bzs 245770, 241912, 233771, 221085, 223713, 203910, 193559, 199368\n[5.0.22-3]\n- Fix CVE-2007-3780: remote DOS via bad password length byte\nResolves: #257681", "title": "mysql security and bug fix update", "lastseen": "2016-09-04T11:16:48", "cvelist": ["CVE-2007-6303", "CVE-2007-2583", "CVE-2007-3780", "CVE-2006-7232", "CVE-2006-4227", "CVE-2007-3781", "CVE-2006-4031", "CVE-2007-1420", "CVE-2007-5925", "CVE-2007-3782", "CVE-2007-5969", "CVE-2006-0903", "CVE-2007-2692", "CVE-2007-2691"], "href": "http://linux.oracle.com/errata/ELSA-2008-0364.html", "id": "ELSA-2008-0364"}], "ubuntu": [{"published": "2007-12-20T00:00:00", "type": "ubuntu", "cvss": {"vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 7.1}, "description": "Joe Gallo and Artem Russakovskii discovered that the InnoDB \nengine in MySQL did not properly perform input 
validation. An \nauthenticated user could use a crafted CONTAINS statement to \ncause a denial of service. ([CVE-2007-5925](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2007-5925>))\n\nIt was discovered that under certain conditions MySQL could be \nmade to overwrite system table information. An authenticated \nuser could use a crafted RENAME statement to escalate privileges. \n([CVE-2007-5969](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2007-5969>))\n\nPhilip Stoev discovered that the federated engine of MySQL \ndid not properly handle responses with a small number of columns. \nAn authenticated user could use a crafted response to a SHOW \nTABLE STATUS query and cause a denial of service. ([CVE-2007-6304](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2007-6304>))\n\nIt was discovered that MySQL did not properly enforce access \ncontrols. An authenticated user could use a crafted CREATE TABLE \nLIKE statement to escalate privileges. ([CVE-2007-3781](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2007-3781>))", "title": "MySQL vulnerabilities", "lastseen": "2016-09-02T18:40:04", "cvelist": ["CVE-2007-3781", "CVE-2007-5925", "CVE-2007-5969", "CVE-2007-6304"], "href": "http://www.ubuntu.com:80/usn/usn-559-1", "id": "USN-559-1"}], "nessus": [{"published": "2007-08-21T00:00:00", "type": "nessus", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/", "score": 5.0}, "description": "The remote host is affected by the vulnerability described in GLSA-200708-10 (MySQL: Denial of Service and information leakage)\n\n Dormando reported a vulnerability within the handling of password packets in the connection protocol (CVE-2007-3780). Andrei Elkin also found that the 'CREATE TABLE LIKE' command didn't require SELECT privileges on the source table (CVE-2007-3781).\n Impact :\n\n A remote unauthenticated attacker could use the first vulnerability to make the server crash. 
The second vulnerability can be used by authenticated users to obtain information on tables they are not normally able to access.\n Workaround :\n\n There is no known workaround at this time.", "title": "GLSA-200708-10 : MySQL: Denial of Service and information leakage", "lastseen": "2016-09-26T17:24:53", "cvelist": ["CVE-2007-3780", "CVE-2007-3781"], "href": "https://www.tenable.com/plugins/index.php?view=single&id=25916", "id": "GENTOO_GLSA-200708-10.NASL"}, {"published": "2007-12-17T00:00:00", "type": "nessus", "cvss": {"vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 7.1}, "description": "New mysql packages are available for Slackware 11.0, 12.0, and\n-current to fix bugs and security issues.", "title": "Slackware 11.0 / 12.0 / current : mysql (SSA:2007-348-01)", "lastseen": "2016-09-26T17:25:32", "cvelist": ["CVE-2007-3781", "CVE-2007-5925", "CVE-2007-5969"], "href": "https://www.tenable.com/plugins/index.php?view=single&id=29704", "id": "SLACKWARE_SSA_2007-348-01.NASL"}, {"published": "2007-12-13T00:00:00", "type": "nessus", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/", "score": 5.0}, "description": "This update provides fixes for :\n\n - remote triggerable crash. 
(CVE-2007-3780)\n\n - query tables without proper authorisation.\n (CVE-2007-3781)\n\n - gain update privileges without proper authorisation.\n (CVE-2007-3782)", "title": "SuSE 10 Security Update : MySQL (ZYPP Patch Number 4376)", "lastseen": "2016-09-26T17:23:11", "cvelist": ["CVE-2007-3780", "CVE-2007-3781", "CVE-2007-3782"], "href": "https://www.tenable.com/plugins/index.php?view=single&id=29525", "id": "SUSE_MYSQL-4376.NASL"}, {"published": "2007-07-25T00:00:00", "type": "nessus", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/", "score": 5.0}, "description": "The version of MySQL Community Server installed on the remote host is reportedly affected by a denial of service vulnerability that can lead to a server crash with a specially crafted password packet. \n\nIt is also affected by a privilege escalation vulnerability because 'CREATE TABLE LIKE' does not require any privileges on the source table, which allows an attacker to create arbitrary tables using the affected application.", "title": "MySQL Community Server 5.0 < 5.0.45 Multiple Vulnerabilities", "lastseen": "2016-11-29T05:33:50", "cvelist": ["CVE-2007-3780", "CVE-2007-3781", "CVE-2007-3782"], "href": "https://www.tenable.com/plugins/index.php?view=single&id=25759", "id": "MYSQL_5_0_45.NASL"}, {"published": "2007-10-17T00:00:00", "type": "nessus", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/", "score": 5.0}, "description": "This update provides fixes for :\n\n - CVE-2007-3780: remote triggerable crash\n\n - CVE-2007-3781: query tables without proper authorisation\n\n - CVE-2007-3782: gain update privileges without proper authorisation", "title": "openSUSE 10 Security Update : mysql (mysql-4375)", "lastseen": "2016-09-26T17:25:41", "cvelist": ["CVE-2007-3780", "CVE-2007-3781", "CVE-2007-3782"], "href": "https://www.tenable.com/plugins/index.php?view=single&id=27359", "id": "SUSE_MYSQL-4375.NASL"}, {"published": "2008-01-07T00:00:00", "type": "nessus", 
"cvss": {"vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 7.1}, "description": "Several local/remote vulnerabilities have been discovered in the MySQL database server. The Common Vulnerabilities and Exposures project identifies the following problems :\n\n - CVE-2007-3781 It was discovered that the privilege validation for the source table of CREATE TABLE LIKE statements was insufficiently enforced, which might lead to information disclosure. This is only exploitable by authenticated users.\n\n - CVE-2007-5969 It was discovered that symbolic links were handled insecurely during the creation of tables with DATA DIRECTORY or INDEX DIRECTORY statements, which might lead to denial of service by overwriting data. This is only exploitable by authenticated users.\n\n - CVE-2007-6304 It was discovered that queries to data in a FEDERATED table can lead to a crash of the local database server, if the remote server returns information with less columns than expected, resulting in denial of service.", "title": "Debian DSA-1451-1 : mysql-dfsg-5.0 - several vulnerabilities", "lastseen": "2016-09-26T17:23:33", "cvelist": ["CVE-2007-3781", "CVE-2007-5969", "CVE-2007-6304"], "href": "https://www.tenable.com/plugins/index.php?view=single&id=29860", "id": "DEBIAN_DSA-1451.NASL"}, {"published": "2007-12-11T00:00:00", "type": "nessus", "cvss": {"vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 7.1}, "description": "A vulnerability in MySQL prior to 5.0.45 did not require privileges such as SELECT for the source table in a CREATE TABLE LIKE statement, allowing remote authenticated users to obtain sensitive information such as the table structure (CVE-2007-3781).\n\nA vulnerability in the InnoDB engine in MySQL allowed remote authenticated users to cause a denial of service (database crash) via certain CONTAINS operations on an indexed column, which triggered an assertion error 
(CVE-2007-5925).\n\nUsing RENAME TABLE against a table with explicit DATA DIRECTORY and INDEX DIRECTORY options could be used to overwrite system table information by replacing the file to which a symlink pointed (CVE-2007-5969).\n\nThe updated packages have been patched to correct these issues.", "title": "Mandrake Linux Security Advisory : MySQL (MDKSA-2007:243)", "lastseen": "2016-11-29T05:35:22", "cvelist": ["CVE-2007-3781", "CVE-2007-5925", "CVE-2007-5969"], "href": "https://www.tenable.com/plugins/index.php?view=single&id=29300", "id": "MANDRAKE_MDKSA-2007-243.NASL"}, {"published": "2007-12-24T00:00:00", "type": "nessus", "cvss": {"vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 7.1}, "description": "Joe Gallo and Artem Russakovskii discovered that the InnoDB engine in MySQL did not properly perform input validation. An authenticated user could use a crafted CONTAINS statement to cause a denial of service.\n(CVE-2007-5925)\n\nIt was discovered that under certain conditions MySQL could be made to overwrite system table information. An authenticated user could use a crafted RENAME statement to escalate privileges. (CVE-2007-5969)\n\nPhilip Stoev discovered that the federated engine of MySQL did not properly handle responses with a small number of columns. An authenticated user could use a crafted response to a SHOW TABLE STATUS query and cause a denial of service. (CVE-2007-6304)\n\nIt was discovered that MySQL did not properly enforce access controls.\nAn authenticated user could use a crafted CREATE TABLE LIKE statement to escalate privileges. (CVE-2007-3781).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "title": "Ubuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : mysql-dfsg-5.0 vulnerabilities (USN-559-1)", "lastseen": "2016-12-02T05:34:38", "cvelist": ["CVE-2007-3781", "CVE-2007-5925", "CVE-2007-5969", "CVE-2007-6304"], "href": "https://www.tenable.com/plugins/index.php?view=single&id=29793", "id": "UBUNTU_USN-559-1.NASL"}, {"published": "2008-05-22T00:00:00", "type": "nessus", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 6.5}, "description": "Updated mysql packages that fix various security issues and several bugs are now available for Red Hat Enterprise Linux 5.\n\nThis update has been rated as having low security impact by the Red Hat Security Response Team.\n\nMySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon (mysqld), and many different client programs and libraries.\n\nMySQL did not require privileges such as 'SELECT' for the source table in a 'CREATE TABLE LIKE' statement. An authenticated user could obtain sensitive information, such as the table structure. (CVE-2007-3781)\n\nA flaw was discovered in MySQL that allowed an authenticated user to gain update privileges for a table in another database, via a view that refers to the external table. (CVE-2007-3782)\n\nMySQL did not require the 'DROP' privilege for 'RENAME TABLE' statements. An authenticated user could use this flaw to rename arbitrary tables. (CVE-2007-2691)\n\nA flaw was discovered in the mysql_change_db function when returning from SQL SECURITY INVOKER stored routines. An authenticated user could use this flaw to gain database privileges. (CVE-2007-2692)\n\nMySQL allowed an authenticated user to bypass logging mechanisms via SQL queries that contain the NULL character, which were not properly handled by the mysql_real_query function. 
(CVE-2006-0903)\n\nMySQL allowed an authenticated user to access a table through a previously created MERGE table, even after the user's privileges were revoked from the original table, which might violate intended security policy. This is addressed by allowing the MERGE storage engine to be disabled, which can be done by running mysqld with the '--skip-merge' option. (CVE-2006-4031)\n\nMySQL evaluated arguments in the wrong security context, which allowed an authenticated user to gain privileges through a routine that had been made available using 'GRANT EXECUTE'. (CVE-2006-4227)\n\nMultiple flaws in MySQL allowed an authenticated user to cause the MySQL daemon to crash via crafted SQL queries. This only caused a temporary denial of service, as the MySQL daemon is automatically restarted after the crash. (CVE-2006-7232, CVE-2007-1420, CVE-2007-2583)\n\nAs well, these updated packages fix the following bugs :\n\n* a separate counter was used for 'insert delayed' statements, which caused rows to be discarded. In these updated packages, 'insert delayed' statements no longer use a separate counter, which resolves this issue.\n\n* due to a bug in the Native POSIX Thread Library, in certain situations, 'flush tables' caused a deadlock on tables that had a read lock. The mysqld daemon had to be killed forcefully. Now, 'COND_refresh' has been replaced with 'COND_global_read_lock', which resolves this issue.\n\n* mysqld crashed if a query for an unsigned column type contained a negative value for a 'WHERE [column] NOT IN' subquery.\n\n* in master and slave server situations, specifying 'on duplicate key update' for 'insert' statements did not update slave servers.\n\n* in the mysql client, empty strings were displayed as 'NULL'. 
For example, running 'insert into [table-name] values (' ');' resulted in a 'NULL' entry being displayed when querying the table using 'select * from [table-name];'.\n\n* a bug in the optimizer code resulted in certain queries executing much slower than expected.\n\n* on 64-bit PowerPC architectures, MySQL did not calculate the thread stack size correctly, which could have caused MySQL to crash when overly-complex queries were used.\n\nNote: these updated packages upgrade MySQL to version 5.0.45. For a full list of bug fixes and enhancements, refer to the MySQL release notes: http://dev.mysql.com/doc/refman/5.0/en/releasenotes-cs-5-0.html\n\nAll mysql users are advised to upgrade to these updated packages, which resolve these issues.", "title": "RHEL 5 : mysql (RHSA-2008:0364)", "lastseen": "2016-09-26T17:25:02", "cvelist": ["CVE-2007-2583", "CVE-2006-7232", "CVE-2006-4227", "CVE-2007-3781", "CVE-2006-4031", "CVE-2007-1420", "CVE-2007-3782", "CVE-2006-0903", "CVE-2007-2692", "CVE-2007-2691"], "href": "https://www.tenable.com/plugins/index.php?view=single&id=32425", "id": "REDHAT-RHSA-2008-0364.NASL"}, {"published": "2012-08-01T00:00:00", "type": "nessus", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 6.5}, "description": "MySQL did not require privileges such as 'SELECT' for the source table in a 'CREATE TABLE LIKE' statement. An authenticated user could obtain sensitive information, such as the table structure. (CVE-2007-3781)\n\nA flaw was discovered in MySQL that allowed an authenticated user to gain update privileges for a table in another database, via a view that refers to the external table. (CVE-2007-3782)\n\nMySQL did not require the 'DROP' privilege for 'RENAME TABLE' statements. An authenticated user could use this flaw to rename arbitrary tables. (CVE-2007-2691)\n\nA flaw was discovered in the mysql_change_db function when returning from SQL SECURITY INVOKER stored routines. 
An authenticated user could use this flaw to gain database privileges. (CVE-2007-2692)\n\nMySQL allowed an authenticated user to bypass logging mechanisms via SQL queries that contain the NULL character, which were not properly handled by the mysql_real_query function. (CVE-2006-0903)\n\nMySQL allowed an authenticated user to access a table through a previously created MERGE table, even after the user's privileges were revoked from the original table, which might violate intended security policy. This is addressed by allowing the MERGE storage engine to be disabled, which can be done by running mysqld with the '--skip-merge' option. (CVE-2006-4031)\n\nMySQL evaluated arguments in the wrong security context, which allowed an authenticated user to gain privileges through a routine that had been made available using 'GRANT EXECUTE'. (CVE-2006-4227)\n\nMultiple flaws in MySQL allowed an authenticated user to cause the MySQL daemon to crash via crafted SQL queries. This only caused a temporary denial of service, as the MySQL daemon is automatically restarted after the crash. (CVE-2006-7232, CVE-2007-1420, CVE-2007-2583)\n\nAs well, these updated packages fix the following bugs :\n\n - a separate counter was used for 'insert delayed' statements, which caused rows to be discarded. In these updated packages, 'insert delayed' statements no longer use a separate counter, which resolves this issue.\n\n - due to a bug in the Native POSIX Thread Library, in certain situations, 'flush tables' caused a deadlock on tables that had a read lock. The mysqld daemon had to be killed forcefully. 
Now, 'COND_refresh' has been replaced with 'COND_global_read_lock', which resolves this issue.\n\n - mysqld crashed if a query for an unsigned column type contained a negative value for a 'WHERE [column] NOT IN' subquery.\n\n - in master and slave server situations, specifying 'on duplicate key update' for 'insert' statements did not update slave servers.\n\n - in the mysql client, empty strings were displayed as 'NULL'. For example, running 'insert into [table-name] values (' ');' resulted in a 'NULL' entry being displayed when querying the table using 'select * from [table-name];'.\n\n - a bug in the optimizer code resulted in certain queries executing much slower than expected.\n\n - on 64-bit PowerPC architectures, MySQL did not calculate the thread stack size correctly, which could have caused MySQL to crash when overly-complex queries were used.\n\nNote: these updated packages upgrade MySQL to version 5.0.45. For a full list of bug fixes and enhancements, refer to the MySQL release notes: http://dev.mysql.com/doc/refman/5.0/en/releasenotes-cs-5-0.html", "title": "Scientific Linux Security Update : mysql on SL5.x i386/x86_64", "lastseen": "2016-09-26T17:25:42", "cvelist": ["CVE-2007-2583", "CVE-2006-7232", "CVE-2006-4227", "CVE-2007-3781", "CVE-2006-4031", "CVE-2007-1420", "CVE-2007-3782", "CVE-2006-0903", "CVE-2007-2692", "CVE-2007-2691"], "href": "https://www.tenable.com/plugins/index.php?view=single&id=60406", "id": "SL_20080521_MYSQL_ON_SL5_X.NASL"}], "redhat": [{"published": "2008-05-20T04:00:00", "type": "redhat", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 6.5}, "description": "MySQL is a multi-user, multi-threaded SQL database server. MySQL is a\r\nclient/server implementation consisting of a server daemon (mysqld), and\r\nmany different client programs and libraries.\r\n\r\nMySQL did not require privileges such as \"SELECT\" for the source table in a\r\n\"CREATE TABLE LIKE\" statement. 
An authenticated user could obtain sensitive\r\ninformation, such as the table structure. (CVE-2007-3781)\r\n\r\nA flaw was discovered in MySQL that allowed an authenticated user to gain\r\nupdate privileges for a table in another database, via a view that refers\r\nto the external table. (CVE-2007-3782)\r\n\r\nMySQL did not require the \"DROP\" privilege for \"RENAME TABLE\" statements.\r\nAn authenticated user could use this flaw to rename arbitrary tables.\r\n(CVE-2007-2691)\r\n\r\nA flaw was discovered in the mysql_change_db function when returning from\r\nSQL SECURITY INVOKER stored routines. An authenticated user could use this\r\nflaw to gain database privileges. (CVE-2007-2692)\r\n\r\nMySQL allowed an authenticated user to bypass logging mechanisms via SQL\r\nqueries that contain the NULL character, which were not properly handled by\r\nthe mysql_real_query function. (CVE-2006-0903)\r\n\r\nMySQL allowed an authenticated user to access a table through a previously\r\ncreated MERGE table, even after the user's privileges were revoked from\r\nthe original table, which might violate intended security policy. This is\r\naddressed by allowing the MERGE storage engine to be disabled, which can\r\nbe done by running mysqld with the \"--skip-merge\" option. (CVE-2006-4031)\r\n\r\nMySQL evaluated arguments in the wrong security context, which allowed an\r\nauthenticated user to gain privileges through a routine that had been made\r\navailable using \"GRANT EXECUTE\". (CVE-2006-4227)\r\n\r\nMultiple flaws in MySQL allowed an authenticated user to cause the MySQL\r\ndaemon to crash via crafted SQL queries. This only caused a temporary\r\ndenial of service, as the MySQL daemon is automatically restarted after the\r\ncrash. (CVE-2006-7232, CVE-2007-1420, CVE-2007-2583)\r\n\r\nAs well, these updated packages fix the following bugs:\r\n\r\n* a separate counter was used for \"insert delayed\" statements, which caused\r\nrows to be discarded. 
In these updated packages, \"insert delayed\"\r\nstatements no longer use a separate counter, which resolves this issue.\r\n\r\n* due to a bug in the Native POSIX Thread Library, in certain situations,\r\n\"flush tables\" caused a deadlock on tables that had a read lock. The mysqld\r\ndaemon had to be killed forcefully. Now, \"COND_refresh\" has been replaced\r\nwith \"COND_global_read_lock\", which resolves this issue.\r\n\r\n* mysqld crashed if a query for an unsigned column type contained a\r\nnegative value for a \"WHERE [column] NOT IN\" subquery.\r\n\r\n* in master and slave server situations, specifying \"on duplicate key\r\nupdate\" for \"insert\" statements did not update slave servers.\r\n\r\n* in the mysql client, empty strings were displayed as \"NULL\". For\r\nexample, running \"insert into [table-name] values (' ');\" resulted in a\r\n\"NULL\" entry being displayed when querying the table using \"select * from\r\n[table-name];\".\r\n\r\n* a bug in the optimizer code resulted in certain queries executing much\r\nslower than expected.\r\n\r\n* on 64-bit PowerPC architectures, MySQL did not calculate the thread stack\r\nsize correctly, which could have caused MySQL to crash when overly-complex\r\nqueries were used.\r\n\r\nNote: these updated packages upgrade MySQL to version 5.0.45. 
For a full\r\nlist of bug fixes and enhancements, refer to the MySQL release notes:\r\nhttp://dev.mysql.com/doc/refman/5.0/en/releasenotes-cs-5-0.html\r\n\r\nAll mysql users are advised to upgrade to these updated packages, which\r\nresolve these issues.", "title": "(RHSA-2008:0364) Low: mysql security and bug fix update", "lastseen": "2016-09-04T11:17:58", "cvelist": ["CVE-2007-2583", "CVE-2006-7232", "CVE-2006-4227", "CVE-2007-3781", "CVE-2006-4031", "CVE-2007-1420", "CVE-2007-3782", "CVE-2006-0903", "CVE-2007-2692", "CVE-2007-2691"], "href": "https://access.redhat.com/errata/RHSA-2008:0364", "id": "RHSA-2008:0364"}], "openvas": [{"published": "2008-09-24T00:00:00", "type": "openvas", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/", "score": 5.0}, "description": "The remote host is missing updates announced in\nadvisory GLSA 200708-10.", "title": "Gentoo Security Advisory GLSA 200708-10 (mysql)", "lastseen": "2016-11-11T16:45:50", "cvelist": ["CVE-2007-3780", "CVE-2007-3781"], "href": "http://plugins.openvas.org/nasl.php?oid=58545", "id": "OPENVAS:58545"}, {"published": "2008-01-17T00:00:00", "type": "openvas", "cvss": {"vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 7.1}, "description": "The remote host is missing an update to mysql-dfsg-5.0\nannounced via advisory DSA 1451-1.", "title": "Debian Security Advisory DSA 1451-1 (mysql-dfsg-5.0)", "lastseen": "2016-09-26T20:41:43", "cvelist": ["CVE-2007-3781", "CVE-2007-5969", "CVE-2007-6304"], "href": "http://plugins.openvas.org/nasl.php?oid=60106", "id": "OPENVAS:60106"}, {"published": "2012-09-11T00:00:00", "type": "openvas", "cvss": {"vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 7.1}, "description": "The remote host is missing an update as announced\nvia advisory SSA:2007-348-01.", "title": "Slackware Advisory SSA:2007-348-01 mysql", "lastseen": "2016-09-26T20:39:08", "cvelist": ["CVE-2007-3781", 
"CVE-2007-5925", "CVE-2007-5969"], "href": "http://plugins.openvas.org/nasl.php?oid=60017", "id": "OPENVAS:60017"}, {"published": "2009-04-09T00:00:00", "type": "openvas", "cvss": {"vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 7.1}, "description": "Check for the Version of MySQL", "title": "Mandriva Update for MySQL MDKSA-2007:243 (MySQL)", "lastseen": "2016-09-26T20:41:25", "cvelist": ["CVE-2007-3781", "CVE-2007-5925", "CVE-2007-5969"], "href": "http://plugins.openvas.org/nasl.php?oid=830032", "id": "OPENVAS:830032"}, {"published": "2009-03-23T00:00:00", "type": "openvas", "cvss": {"vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 7.1}, "description": "Ubuntu Update for Linux kernel vulnerabilities USN-559-1", "title": "Ubuntu Update for mysql-dfsg-5.0 vulnerabilities USN-559-1", "lastseen": "2016-09-26T20:41:13", "cvelist": ["CVE-2007-3781", "CVE-2007-5925", "CVE-2007-5969", "CVE-2007-6304"], "href": "http://plugins.openvas.org/nasl.php?oid=840106", "id": "OPENVAS:840106"}, {"published": "2009-03-06T00:00:00", "type": "openvas", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 6.5}, "description": "Check for the Version of mysql", "title": "RedHat Update for mysql RHSA-2008:0364-01", "lastseen": "2016-09-26T20:41:29", "cvelist": ["CVE-2007-2583", "CVE-2006-7232", "CVE-2006-4227", "CVE-2007-3781", "CVE-2006-4031", "CVE-2007-1420", "CVE-2007-3782", "CVE-2006-0903", "CVE-2007-2692", "CVE-2007-2691"], "href": "http://plugins.openvas.org/nasl.php?oid=870069", "id": "OPENVAS:870069"}, {"published": "2015-10-08T00:00:00", "type": "openvas", "cvss": {"vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 7.1}, "description": "Oracle Linux Local Security Checks ELSA-2008-0364", "title": "Oracle Linux Local Check: ELSA-2008-0364", "lastseen": "2016-11-16T16:43:38", "cvelist": ["CVE-2007-6303", 
"CVE-2007-2583", "CVE-2007-3780", "CVE-2006-7232", "CVE-2006-4227", "CVE-2007-3781", "CVE-2006-4031", "CVE-2007-1420", "CVE-2007-5925", "CVE-2007-3782", "CVE-2007-5969", "CVE-2006-0903", "CVE-2007-2692", "CVE-2007-2691"], "href": "http://plugins.openvas.org/nasl.php?oid=122583", "id": "OPENVAS:122583"}], "slackware": [{"published": "2007-12-14T18:03:51", "type": "slackware", "cvss": {"vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 7.1}, "description": "New mysql packages are available for Slackware 11.0, 12.0, and -current to\nfix bugs and security issues.\n\nMore details about this issue may be found in the Common\nVulnerabilities and Exposures (CVE) database:\n\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3781\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5925\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5969\n\nAnd more information (including about a potentially incompatible change) may\nbe found in the release notes:\n\n http://dev.mysql.com/doc/refman/5.0/en/releasenotes-cs-5-0-51.html\n\n\nHere are the details from the Slackware 12.0 ChangeLog:\n\npatches/packages/mysql-5.0.51-i486-1_slack12.0.tgz:\n Upgraded to mysql-5.0.51.\n This release fixes several bugs, including some security issues.\n However, it also includes a potentially incompatible change, so be sure\n to read the release notes before upgrading. It is possible that some\n databases will need to be fixed in order to work with this (and future)\n releases:\n http://dev.mysql.com/doc/refman/5.0/en/releasenotes-cs-5-0-51.html\n For more information about the security issues fixed, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3781\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5925\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5969\n (* Security fix *)\n\nWhere to find the new packages:\n\nHINT: Getting slow download speeds from ftp.slackware.com?\nGive slackware.osuosl.org a try. 
This is another primary FTP site\nfor Slackware that can be considerably faster than downloading\ndirectly from ftp.slackware.com.\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating additional FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 11.0:\nftp://ftp.slackware.com/pub/slackware/slackware-11.0/patches/packages/mysql-5.0.51-i486-1_slack11.0.tgz\n\nUpdated package for Slackware 12.0:\nftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/mysql-5.0.51-i486-1_slack12.0.tgz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/ap/mysql-5.0.51-i486-1.tgz\n\n\nMD5 signatures:\n\nSlackware 11.0 package:\na2bfdbfdd26607b0a798478948d46e08 mysql-5.0.51-i486-1_slack11.0.tgz\n\nSlackware 12.0 package:\n3621e8ad0fb49ee53bb8c3a90e6441a6 mysql-5.0.51-i486-1_slack12.0.tgz\n\nSlackware -current package:\n4dc21329a518ffc6c5ed819d2ec5a84c mysql-5.0.51-i486-1.tgz\n\n\nInstallation instructions:\n\nUpgrade the packages as root:\n > upgradepkg mysql-5.0.51-i486-1_slack12.0.tgz\n\nThen, restart mysql.", "title": "mysql", "lastseen": "2016-09-07T19:54:41", "cvelist": ["CVE-2007-3781", "CVE-2007-5925", "CVE-2007-5969"], "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.428959", "id": "SSA-2007-348-01"}], "gentoo": [{"published": "2007-08-16T00:00:00", "type": "gentoo", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/", "score": 5.0}, "description": "### Background\n\nMySQL is a popular multi-threaded, multi-user SQL server. \n\n### Description\n\nDormando reported a vulnerability within the handling of password packets in the connection protocol (CVE-2007-3780). 
Andrei Elkin also found that the \"CREATE TABLE LIKE\" command didn't require SELECT privileges on the source table (CVE-2007-3781). \n\n### Impact\n\nA remote unauthenticated attacker could use the first vulnerability to make the server crash. The second vulnerability can be used by authenticated users to obtain information on tables they are not normally able to access. \n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nAll MySQL users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-db/mysql-5.0.44\"", "title": "MySQL: Denial of Service and information leakage", "lastseen": "2016-09-06T19:46:54", "cvelist": ["CVE-2007-3780", "CVE-2007-3781"], "href": "https://security.gentoo.org/glsa/200708-10", "id": "GLSA-200708-10"}]}}